EU's high court nixes Safe Harbor deal: what that means for US tech firms

The Safe Harbor pact enabled US companies to self-check that they were meeting the European Union's high standards for data security, but a court ruling Tuesday invalidates Safe Harbor, requiring international watchdogs to check on data security.

A woman walks by the entrance to the European Court of Justice in Luxembourg, Monday. Europe's highest court has ruled in favor of an Austrian law student who claims a trans-Atlantic data protection agreement doesn't adequately protect consumers.

Geert Vanden Wijngaert/AP

View photo

An international court decision ended 15 years of relatively painless data sharing among continents by ruling in favor of privacy but against a Safe Harbor pact.

The Tuesday ruling by the European Union Court of Justice is a victory for privacy advocates but a blow to the world's largest trading agreement – between the United States and the European Union – because the Safe Harbor pact had enabled tech companies to share data across the Atlantic without separate security checks from all the involved governments.

Safe Harbor was designed in 2000 to make trade easier by allowing more than 5,000 US companies to simply self-check that they are meeting EU standards for data security. The EU limits data-sharing with countries deemed lax on privacy, a list that particularly includes the US after Edward Snowden's allegations of en masse data collection by the US government.

The court ruling to remove Safe Harbor represents a culture clash, because the EU views data privacy as a fundamental right, while the US is willing to override that right in favor of national security.

The decision will affect major tech companies that require massive amounts of data sharing, such as Facebook, and Amazon.com, which stores data from European companies on its retail site.

"This is extremely bad news for EU-US trade," Richard Cumbley, the Global Head of technology, media and telecommunications at Linklaters law firm told Reuters. "Without Safe Harbor, (businesses) will be scrambling to put replacement measures in place."

The decision does not automatically stop data transfers, The Wall Street Journal reports. What it does do is assign international tech regulators the right and responsibility to investigate the security standards of US companies. Before, regulators could not do so because of Safe Harbor.

Many companies that have already put in place European Union-standard security methods should not need a significant policy change. What is different is that watchdogs no longer have to take such companies at their word.

"Companies will be working in a legal vacuum," Paul Meller, communications director for tech-lobbying outfit Digital Europe, told the Journal. "Many companies would be exposing themselves to legal action."

US companies that share data with countries in the European Union and regulators alike may now have a lot more work to do, because Safe Harbor had offered a blanket defense from lawsuits and investigations before.